DOP – Configuration Management and Infrastructure as Code – CloudFront Behavior
Irene-TutorialsDojo updated 2 weeks, 5 days ago
For this question:
A JavaScript-based online salary calculator hosted on-premises is slated to be migrated to AWS. The application has no server-side code and is just composed of a UI powered by Vue.js and Bootstrap. Since the online calculator may contain sensitive financial data, adding HTTP response headers such as X-Content-Type-Options, X-Frame-Options and X-XSS-Protection should be implemented to comply with the Open Web Application Security Project (OWASP) standards.
Which of the following is the MOST suitable solution to implement?
1 – Host the application on an Amazon S3 bucket configured for website hosting, then set up server access logging on the S3 bucket to track user activity. Configure the bucket policy of the S3 bucket to return the required security headers.
2 – Host the application on an Amazon S3 bucket configured for website hosting, then set up server access logging on the S3 bucket to track user activity. Enable S3 client-side encryption and configure it to return the required security headers.
3 – Host the application on an Amazon S3 bucket configured for website hosting. Set up an Amazon CloudFront web distribution and set the S3 bucket as the origin with the origin response event set to trigger a Lambda@Edge function. Add the required security headers in the HTTP response using the AWS Lambda function.
4 – Host the application on an Amazon S3 bucket configured for website hosting. Set up an Amazon CloudFront web distribution and set the S3 bucket as the origin. Set a custom Request and Response Behavior in CloudFront that automatically adds the required security headers in the HTTP response.
While I understand why you chose option 4, terminology does matter, and “custom Request and Response Behavior” doesn’t really translate into “Response Headers Policy”. So option 3, with this current wording, should be the appropriate solution, even though we both agree it’s not the best, for the reasons you listed.
Anyway, thanks again for this kind of challenging/amazing question, I’m really having a blast 🙂
Hi Ariel,
Thank you for the kind words and for this excellent catch — your attention to detail is exactly what makes our community so valuable!
You’re absolutely right that the phrasing “custom Request and Response Behavior” doesn’t precisely map to AWS’s actual feature name, which is “Response Headers Policy.” We’ve updated the wording of Option 4 to accurately reflect the correct AWS terminology. The changes will be reflected on the portal shortly.
The correct answer remains Option 4, as CloudFront’s built-in Response Headers Policy is the most suitable and straightforward solution for adding OWASP-recommended security headers — no Lambda@Edge code required.
Thanks again for helping us keep our content sharp. Keep the feedback coming, we’re glad you’re enjoying the questions! 😊
Best regards,
Irene @ Tutorials Dojo
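Added example, not from this thread and not AWS code: a small Python model of the Response Headers Policy approach Irene describes. POLICY_CONFIG follows the ResponseHeadersPolicyConfig shape that boto3's create_response_headers_policy and the CLI accept (the policy name and the S3 origin response are constructed); the header rendering and Override handling are a local simulation of CloudFront's documented behaviour, so a reviewer can check that the three headers from the question end up on the viewer response without any Lambda@Edge code.

```python
from typing import Dict, List, Tuple

# Constructed policy in the ResponseHeadersPolicyConfig shape used by
# boto3 / `aws cloudfront create-response-headers-policy`.
POLICY_CONFIG = {
    "Name": "owasp-security-headers",  # constructed name
    "Comment": "Security headers for the static Vue.js salary calculator",
    "SecurityHeadersConfig": {
        # Override=True: the policy value wins even if the origin sent the header.
        "ContentTypeOptions": {"Override": True},
        "FrameOptions": {"Override": True, "FrameOption": "DENY"},
        "XSSProtection": {"Override": True, "Protection": True, "ModeBlock": True},
    },
}

def render_security_headers(cfg: dict) -> Dict[str, Tuple[str, bool]]:
    """Local model: SecurityHeadersConfig -> {header: (value, override)}."""
    sec = cfg["SecurityHeadersConfig"]
    out: Dict[str, Tuple[str, bool]] = {}
    if "ContentTypeOptions" in sec:  # value is fixed; only Override is configurable
        out["x-content-type-options"] = ("nosniff", sec["ContentTypeOptions"]["Override"])
    if "FrameOptions" in sec:
        fo = sec["FrameOptions"]
        out["x-frame-options"] = (fo["FrameOption"], fo["Override"])
    if "XSSProtection" in sec:
        xp = sec["XSSProtection"]
        if not xp["Protection"]:
            value = "0"
        else:
            value = "1; mode=block" if xp.get("ModeBlock") else "1"
        out["x-xss-protection"] = (value, xp["Override"])
    return out

def apply_policy(origin_headers: Dict[str, str], cfg: dict) -> Dict[str, str]:
    """Simulate the viewer response: policy headers are added, and an origin
    header is replaced only when that policy entry has Override set."""
    result = {k.lower(): v for k, v in origin_headers.items()}
    for name, (value, override) in render_security_headers(cfg).items():
        if override or name not in result:
            result[name] = value
    return result

REQUIRED = ("x-content-type-options", "x-frame-options", "x-xss-protection")

def missing_required(headers: Dict[str, str]) -> List[str]:
    """The three headers named in the question, checked case-insensitively."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED if h not in present]

# Constructed sample of what an S3 website origin returns: no security headers.
S3_ORIGIN_RESPONSE = {"Content-Type": "text/html", "ETag": '"abc123"'}
```

Running missing_required on the raw S3 response lists all three headers; after apply_policy with POLICY_CONFIG the list is empty and the origin's own headers are untouched.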